CHAPTER 3-1 Cisco AnyConnect VPN Client Administrator Guide OL-20841-03 3 Configuring AnyConnect Client Features The AnyConnect client includes two files that enable and configure client features—the AnyConnect client profile and the AnyConnect local policy. This chapter describes the AnyConnect client features and how to enable them in the profile, the local policy, and on the security appliance. AnyConnect Client Profile The AnyConnect profile is an XML file deployed by the security appliance during client installation and updates. This file provides basic information about connection setup, as well as advanced features such as Start Before Logon (SBL). Users cannot manage or modify profiles. You can configure the security appliance to deploy profiles globally for all AnyConnect client users, or based on the group policy of the user. Usually, a user has a single profile file. This profile contains all the hosts needed by a user, and additional settings as needed. In some cases, you might want to provide more than one profile for a given user. For example, someone who works from multiple locations might need more than one profile. Be aware that some of the profile settings, such as Start Before Login, control the connection experience at a global level. Other settings, such as those unique to a particular host, depend on the host selected. AnyConnect Local Policy The AnyConnect local policy specifies additional security parameters for the AnyConnect VPN client, including operating in a mode compliant with Level 1 of the Federal Information Processing Standard (FIPS). Other parameters in the AnyConnect Local Policy increase security by forbidding remote updates to prevent Man-in-the-Middle attacks and by preventing non-administrator or non-root users from modifying client settings. Unlike the client profile, the local policy is not deployed by the security appliance and must be deployed by an enterprise software deployment system. The first two sections of this chapter describe how to make changes to the AnyConnect client profile or local policy: • Configuring and Deploying the AnyConnect Client Profile, page 3-2 • Configuring the AnyConnect Local Policy, page 3-8 The following sections describe each client feature and the necessary changes to the AnyConnect client profile, local policy, and/or the security appliance software: • Configuring Start Before Logon, page 3-10 • Enabling FIPS and Additional Security, page 3-20 • Enabling Trusted Network Detection, page 3-25 • Configuring a Certificate Store, page 3-27 • Configuring Simplified Certificate Enrollment Protocol, page 3-31
Transcript
OL-20841-03
C H A P T E R 3
Configuring AnyConnect Client Features
The AnyConnect client includes two files that enable and configure client features—the AnyConnect client profile and the AnyConnect local policy. This chapter describes the AnyConnect client features and how to enable them in the profile, the local policy, and on the security appliance.
AnyConnect Client Profile
The AnyConnect profile is an XML file deployed by the security appliance during client installation and updates. This file provides basic information about connection setup, as well as advanced features such as Start Before Logon (SBL). Users cannot manage or modify profiles.
You can configure the security appliance to deploy profiles globally for all AnyConnect client users, or based on the group policy of the user. Usually, a user has a single profile file. This profile contains all the hosts needed by a user, and additional settings as needed. In some cases, you might want to provide more than one profile for a given user. For example, someone who works from multiple locations might need more than one profile. Be aware that some of the profile settings, such as Start Before Login, control the connection experience at a global level. Other settings, such as those unique to a particular host, depend on the host selected.
AnyConnect Local Policy
The AnyConnect local policy specifies additional security parameters for the AnyConnect VPN client, including operating in a mode compliant with Level 1 of the Federal Information Processing Standard (FIPS). Other parameters in the AnyConnect Local Policy increase security by forbidding remote updates to prevent Man-in-the-Middle attacks and by preventing non-administrator or non-root users from modifying client settings. Unlike the client profile, the local policy is not deployed by the security appliance and must be deployed by an enterprise software deployment system.
The first two sections of this chapter describe how to make changes to the AnyConnect client profile or local policy:
• Configuring and Deploying the AnyConnect Client Profile, page 3-2
• Configuring the AnyConnect Local Policy, page 3-8
The following sections describe each client feature and the necessary changes to the AnyConnect client profile, local policy, and/or the security appliance software:
• Configuring Start Before Logon, page 3-10
• Enabling FIPS and Additional Security, page 3-20
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring and Deploying the AnyConnect Client Profile
• Configuring Certificate Matching, page 3-38
• Prompting Users to Select Authentication Certificate, page 3-45
• Configuring Backup Server List Parameters, page 3-47
• Configuring a Windows Mobile Policy, page 3-48
• Configuring a Server List, page 3-54
• Split DNS Fallback, page 3-57
• Scripting, page 3-57
• Proxy Support, page 3-62
• Allow AnyConnect Session from an RDP Session for Windows Users, page 3-63
• AnyConnect over L2TP or PPTP, page 3-64
Configuring and Deploying the AnyConnect Client ProfileAn AnyConnect client profile is an XML file cached to the endpoint file system. The client parameters, represented as XML tags in this file, name the security appliances with which to establish VPN sessions and enable client features.
You can create and save XML profiles using a text editor. The client installation contains one profile template (AnyConnectProfile.tmpl) you can copy, rename, and save as an XML file, then edit and use as a basis to create other profile files.
The profile file is downloaded from the security appliance to the remote user’s PC, in the directory: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile The location for Windows Vista is slightly different: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile. You must first import the profile(s) into the security appliance in preparation for downloading to the remote PC. You can import a profile using either ASDM or the command-line interface. The AnyConnectProfile.tmpl file automatically downloaded with the AnyConnect client is an example AnyConnect profile.
Note In order for the client initialization parameters in a profile to be applied to the client configuration, the security appliance the user connects to must appear as a host entry in that profile. If you do not add the security appliance address or FQDN as a host entry in the profile, then filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but you do not add the security appliance as a host entry in that profile, the certificate match is ignored. For more information about adding host entries to the profile, see Configuring a Server List, page 3-54.
This section covers the following topics:
• Default Client Profile, page 3-3
• Editing the Client Profile, page 3-4
• Validating the XML in the Profile, page 3-5
• Deploying the Client Profile to AnyConnect Clients, page 3-6
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring and Deploying the AnyConnect Client Profile
Default Client ProfileYou configure profile attributes by modifying the XML profile template and saving it with a unique name. You can then distribute the profile file to end users at any time. The distribution mechanisms are bundled with the software distribution.
The following example shows a sample AnyConnect Profile file. The bold type identifies the values you can modify to customize the profile. In this example, blank lines separate the major groupings for legibility. Do not include these blank lines in your profile.
Caution Do not cut and paste the examples from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor such as Notepad or Wordpad.
Editing the Client ProfileRetrieve a copy of the profile file (AnyConnectProfile.xml) from a client installation. Make a copy and rename the copy with a name meaningful to you. Alternatively, you can modify an existing profile. See Table 1-4, “Paths to the Profile Files on the Endpoint” to identify the profile path for each supported operating system.
Edit the profiles file. The example below shows the contents of the profiles file (AnyConnectProfile.xml) for Windows:
<?xml version="1.0" encoding="UTF-8"?><!-- This is a template file that can be configured to support the identification of secure hosts in your network.
The file needs to be renamed to CiscoAnyConnectProfile.xml.
The svc profiles command imports updated profiles for downloading to client machines.--><Configuration> <ClientInitialization> <UseStartBeforeLogon>false</UseStartBeforeLogon> </ClientInitialization> <HostEntry> <HostName></HostName> <HostAddress></HostAddress> </HostEntry> <HostEntry> <HostName></HostName> <HostAddress></HostAddress> </HostEntry></Configuration>
HostName identifies the secure gateway or cluster to the user. It appears on the “Connect to” drop-down list on the Connection tab of the user GUI. It can be any name you want to use. HostAddress specifies the actual hostname and domain (e.g., hostname.example.com) of the secure gateway to be reached. (While this value may instead specify an IP address, we do not recommend it.) The value of HostName can match the hostname portion of the HostAddress value, but matching the name is not a requirement because the parent tag HostEntry associates these values. Matching the hostname in both child tags does, however, simplify the association for administrators testing and troubleshooting VPN connectivity.
Note Do not cut and paste the examples from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor such as Notepad or Wordpad.
Use the template that appears after installing AnyConnect on a workstation: \Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl
Validating the XML in the ProfileIt is important to validate the XML in the AnyConnect client profile you create. Use an online validation tool or the profile import feature in ASDM. For validation, you can use the AnyConnectProfile.xsd found in the same directory as the profile template. This .xsd file is the XML schema definition for the client profile, and is intended to be maintained by a Secure Gateway administrator and then distributed with the client software.
Note Validate the profile before importing it into the security appliance. Doing so makes client-side validation unnecessary.
The XML file based on this schema can be distributed to clients at any time, either as a bundled file with the software distribution or as part of the automatic download mechanism. The automatic download mechanism is available only with certain Cisco Secure Gateway products.
In Microsoft Windows with MSXML 6.0, the AnyConnect client validates the XML profile against the profile XSD schema and logs any validation failures. MSXML 6.0 ships with Windows 7 and Vista. It is available for download from Microsoft for Windows XP from the following link:
When modifying a profile, be sure to check your typing and make sure the capitalization matches the capitalization in the XML tag names. This is a common error that results in a profile failing validation. For example, attempting to validate a profile that has the following preference entry:
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring and Deploying the AnyConnect Client Profile
Figure 3-1 XML Validation Error
In this example, the value False (initial letter capitalized) should have been false (all lowercase), and the error indicates this.
Deploying the Client Profile to AnyConnect ClientsFollow these steps to configure the security appliance to deploy a profile with the AnyConnect client:
Step 1 Identify to the security appliance the client profiles file to load into cache memory.Go to Configuration > Remote Access VPN > Network (Client) Access > Advanced > Client Settings (Figure 3-2).
Step 2 In the SSL VPN Client Profiles area, click Add. The Add SSL VPN Client Profiles dialog box appears.
Figure 3-2 Adding or Editing an AnyConnect VPN Client Profile
Step 3 Enter the profile name and profile package names in their respective fields. To browse for a profile package name, click Browse Flash. The Browse Flash dialog box appears (Figure 3-3).
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring and Deploying the AnyConnect Client Profile
Figure 3-3 Browse Flash Dialog Box
Step 4 Select a file from the table. The file name appears in the File Name field below the table. Click OK. The file name you selected appears in the Profile Package field of the Add or Edit SSL VPN Client Profiles dialog box.
Click OK in the Add or Edit SSL VPN Client dialog box. This makes profiles available to group policies and username attributes of client users.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring the AnyConnect Local Policy
Step 5 To specify a profile for a group policy, go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. (Figure 3-4)
Figure 3-4 Specify the Profile to use in the Group Policy
Step 6 Deselect Inherit and select a Client Profile to Download from the drop-down list.
Step 7 When you have finished with the configuration, click OK.
Configuring the AnyConnect Local PolicyThe AnyConnect Local Policy specifies additional security parameters for the AnyConnect VPN client, including operating in a mode compliant with Level 1 of the Federal Information Processing Standard (FIPS), 140-2, a U.S. government standard for specific security requirements for cryptographic modules. The FIPS 140-2 standard applies to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems.
Other parameters in the AnyConnect Local Policy increase security by forbidding remote updates to prevent Man-in-the-Middle attacks and by preventing non-administrator or non-root users from modifying client settings.
AnyConnect Local Policy parameters reside in an XML file called AnyConnectLocalPolicy.xml. This file is not deployed by the ASA 5500 Series security appliance. You must deploy this file using corporate software deployment systems or change the file manually on a user computer.
Changing Parameters for Windows Clients using our MST FileFor Windows installations, you can apply the MST file we provide to the standard MSI installation file to change AnyConnect Local Policy parameters, including enabling FIPS mode. The installation generates an AnyConnect Local Policy file with FIPS enabled.
For information about where you can download our MST, see the licensing information your received for the FIPS client.
The MST file contains the following custom rows. The names correspond to the parameters in AnyConnect Local Policy file (AnyConnectLocalPolicy.xml). See Table 3-3 for the descriptions and values you can set for these parameters:
Step 3 Save the file as AnyConnectLocalPolicy.xml and deploy the file to remote computers using corporate an IT software deployment system.
Configuring Start Before LogonStart Before Logon (SBL) forces the user to connect to the enterprise infrastructure over a VPN connection before logging on to Windows by starting the AnyConnect client before the Windows login dialog box appears. After authenticating to the security appliance, the Windows login dialog appears, and the user logs in as usual. SBL is only available for Windows and lets you control the use of login scripts, password caching, mapping network drives to local drives, and more.
Note The AnyConnect client does not support SBL for Windows XP x64 (64-bit) Edition.
Table 3-1 Operating System and AnyConnect Local Policy File Installation Path
Operating System Installation Path
Windows 7 C:\ProgramData\Cisco\Cisco AnyConnect VPN Client
Windows Vista C:\ProgramData\Cisco\Cisco AnyConnect VPN Client
Windows XP C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client
Windows Mobile %PROGRAMFILES%\Cisco AnyConnect VPN Client
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Start Before Logon
To enable the SBL feature, you must make changes to the AnyConnect client profile and enable the security appliance to download a client module for SBL.
Reasons you might consider for enabling SBL for your users include:
• The user’s computer is joined to an Active Directory infrastructure.
• The user cannot have cached credentials on the computer (the group policy disallows cached credentials).
• The user must run login scripts that execute from a network resource or need access to a network resource.
• A user has network-mapped drives that require authentication with the Microsoft Active Directory infrastructure.
• Networking components (such as MS NAP/CS NAC) exist that might require connection to the infrastructure.
Within the AnyConnect client, the only configuration you do for SBL is enabling the feature. Network administrators handle the processing that goes on before logon based upon the requirements of their situation. Logon scripts can be assigned to a domain or to individual users. Generally, the administrators of the domain have batch files or the like defined with users or groups in Microsoft Active Directory. As soon as the user logs on, the login script executes.
SBL creates a network that is equivalent to being on the local corporate LAN. For example, with SBL enabled, since the user has access to the local infrastructure, the logon scripts that would normally run when a user is in the office would also be available to the remote user.
For information about creating logon scripts, see the following Microsoft TechNet article:
In another example, a system might be configured to not allow cached credentials to be used to log on to the computer. In this scenario, users must be able to communicate with a domain controller on the corporate network for their credentials to be validated prior to gaining access to the computer.
SBL requires a network connection to be present at the time it is invoked. In some cases, this might not be possible, because a wireless connection might depend on credentials of the user to connect to the wireless infrastructure. Since SBL mode precedes the credential phase of a login, a connection would not be available in this scenario. In this case, the wireless connection needs to be configured to cache the credentials across login, or another wireless authentication needs to be configured, for SBL to work.
AnyConnect is not compatible with fast user switching.
This section covers the following topics:
• Installing Start Before Logon Components (Windows Only), page 3-11
• Configuring Start Before Logon (PLAP) on Windows 7 and Vista Systems, page 3-15
Installing Start Before Logon Components (Windows Only)The Start Before Logon components must be installed after the core client has been installed. Additionally, the AnyConnect 2.2 Start Before Logon components require that version 2.2, or later, of the core AnyConnect client software be installed. If you are pre-deploying the AnyConnect client and the Start Before Logon components using the MSI files (for example, you are at a big company that has
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Start Before Logon
its own software deployment—Altiris or Active Directory or SMS.) then you must get the order right. The order of the installation is handled automatically when the administrator loads AnyConnect if it is web deployed and/or web updated.
Differences Between Windows-Vista and Pre-Vista Start Before Logon
The procedures for enabling SBL differ slightly on Windows Vista systems. Pre-Vista systems use a component called VPNGINA (which stands for virtual private network graphical identification and authentication) to implement SBL. Vista systems use a component called PLAP to implement SBL.
In the AnyConnect client, the Windows Vista Start Before Logon feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets network administrators perform specific tasks, such as collecting credentials or connecting to network resources, prior to login. PLAP provides start Before Logon functions on Windows Vista. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP function supports Windows Vista x86 and x64 versions.
Note In this section, VPNGINA refers to the Start Before Logon feature for pre-Vista platforms, and PLAP refers to the Start Before Logon feature for Windows Vista systems.
In pre-Vista systems, Start Before Logon uses a component known as the VPN Graphical Identification and Authentication Dynamic Link Library (vpngina.dll) to provide Start Before Logon capabilities. The Windows PLAP component, which is part of Windows Vista, replaces the Windows GINA component.
A GINA is activated when a user presses the Ctrl+Alt+Del key combination. With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or to activate any Network Connections (PLAP components) using the Network Connect button in the lower-right corner of the window.
The sections that immediately follow describe the settings and procedures for both VPNGINA and PLAP SBL. For a complete description of enabling and using the SBL feature (PLAP) on a Windows Vista platform, see Configuring Start Before Logon (PLAP) on Windows 7 and Vista Systems, page 3-15.
Profile Parameters for Enabling SBL
The element value for UseStartBeforeLogon allows this feature to be turned on (true) or off (false). If the you set this value to true in the profile, additional processing occurs as part of the logon sequence. See the Start Before Logon description for additional details.
You enable SBL by setting the <UseStartBefore Logon> value in the AnyConnect profile to true:
To revert to the default, in which SBL is not user-controllable, set the UserControllable preference within the UseStartBeforeLogon preference to false.
Enabling SBL on the Security Appliance
To minimize download time, the AnyConnect client requests downloads (from the security appliance) only of core modules that it needs for each feature that it supports. To enable SBL, you must specify the SBL module name in group policy on the security appliance.
In addition, you must ensure that the UseStartBeforeLogon parameter, within the profile file you specified for the group policy, is set to true. For example:
Note The user must reboot the remote computer before SBL takes effect.
To specify the SBL module on the security appliance, follow this procedure:
Step 1 Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies (Figure 3-5).
Step 2 Select a group policy and click Edit. The Edit Internal Group Policy window displays.
Step 3 Select Advanced > SSL VPN Client in the left-hand navigation pane. SSL VPN settings display.
Step 4 Uncheck the Inherit box for the Optional Client Module for Download setting.
Step 5 Select the Start Before Logon module in the drop-list.
2. Insert the parameter value between the beginning and closing tags; for example, <UseStartBeforeLogon>true</UseStartBeforeLogon>.
3. The user controllable attribute is defined inside the preference tags; for example, <UseStartBeforeLogon UserControllable=”true”>true</UseStartBeforeLogon>. Its possible values are “true” or “false”, and these determine which preferences are overridden by the preferences*.xml files. This is an optional attribute, and if not defined, the default value is used. Preferences made UserControllable=”true” in the profile are visible in the Preferences dialog.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Start Before Logon
Figure 3-5 Specifying the SBL Module to Download
Using the Manifest File
The AnyConnect package that is uploaded on the security appliance contains a file called VPNManifest.xml. The following example shows some sample content of this file:
The security appliance has stored on it configured profiles, as explained in Step 1 above, and it also stores one or multiple AnyConnect packages that contain the AnyConnect client itself, downloader utility, manifest file, and any other optional modules or supporting files.
When a remote user connects to the security appliance using WebLaunch or an previously-installed client, the downloader is downloaded first and run, and it uses the manifest file to ascertain whether there is a existing client on the remote user’s computer that needs to be upgraded, or whether a fresh installation is required. The manifest file also contains information about whether there are any optional modules that must be downloaded and installed—in this case, the VPNGINA. The installation of
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Start Before Logon
VPNGINA is activated if the group-policy of the user specifies SBL as an optional module to download. If it is, the AnyConnect client and VPNGINA are installed, and the user sees the AnyConnect Client at the next reboot, prior to Windows Domain logon.
When the client installs, a sample profile is provided on the client computer at this location:
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco\AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl
Troubleshooting SBL
Use the following procedure if you encounter a problem with SBL:
Step 1 Ensure that the profile is being pushed.
Step 2 Delete prior profiles (search for them on the hard drive to find the location, *.xml).
Step 3 Using Windows Add/Remove Programs, uninstall the Cisco AnyConnect Client Start Before Login Components. Reboot the computer and retest.
Step 4 Clear the user’s AnyConnect log in the Event Viewer and retest.
Step 5 Web browse back to the security appliance to install the client again.
Step 6 Reboot once. On the next reboot, you should be prompted with the Start Before Logon prompt.
Step 7 Send the AnyConnect event log to Cisco in .evt format
Step 8 If you see the following error, delete the user profile:
Description: Unable to parse the profile C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\VABaseProfile.xml. Host data not available.
Step 9 Go back to the .tmpl file, save a copy as an .xml file, and use that XML file as the default profile.
Configuring Start Before Logon (PLAP) on Windows 7 and Vista SystemsAs on the other Windows platforms, the Start Before Logon (SBL) feature initiates a VPN connection before the user logs in to Windows. This ensures users connect to their corporate infrastructure before logging on to their computers. Microsoft Windows 7 and Vista use different mechanisms than Windows XP, so the AnyConnect client SBL feature on the Windows 7 and Vista uses a different mechanism well.
In the AnyConnect client, the new SBL feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets programmatic network administrators perform specific tasks, such as collecting credentials or connecting to network resources, prior to login. PLAP provides SBL functions on Windows 7 and Vista. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP function supports x86 and x64.
Note In this section, VPNGINA refers to the Start Before Logon feature for Windows XP, and PLAP refers to the Start Before Logon feature for Windows 7 and Vista.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Start Before Logon
Start Before Logon Differences in Windows OSs
On Windows XP, Start Before Logon uses a component known as the VPN Graphical Identification and Authentication Dynamic Link Library (vpngina.dll) to provide Start Before Logon capabilities. The Windows PLAP component, which is part of Windows Vista, replaces the Windows GINA component.
On Windows XP, the GINA component is activated when a user presses the Ctrl+Alt+Del key combination. With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or to activate any Network Connections (PLAP components) using the Network Connect button in the lower-right corner of the window.
Installing PLAP
The vpnplap.dll and vpnplap64.dll components are part of the existing GINA installation package, so you can load a single, add-on Start Before Logon package on the security appliance, which then installs the appropriate component for the target platform. PLAP is an optional feature. The installer software detects the underlying operating system and places the appropriate DLL in the system directory. For systems prior to Windows Vista, the installer installs the vpngina.dll component on 32-bit versions of the operating system. On Windows Vista, the installer determines whether the 32-bit or 64-bit version of the operating system is in use and installs the appropriate PLAP component.
Note If you uninstall the AnyConnect client while leaving the VPNGINA or PLAP component installed, the VPNGINA or PLAP component is disabled and not visible to the remote user.
Once installed, PLAP is not active until you modify the user profile <profile.xml> file to activate start before logon. See Profile Parameters for Enabling SBL, page 3-12. After activation, the user invokes the Network Connect component by clicking Switch User, then the Network Connect icon in the lower, right-hand part of the screen.
Note If the user mistakenly minimizes the user interface, the user can restore it by pressing the Alt+Tab key combination.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Start Before Logon
Logging on to a Windows Vista or Windows 7 PC using PLAP
Users can log on to Windows Vista or Windows 7 when PLAP is enabled, by doing the following steps. The examples screens are for Windows Vista. (These steps are Microsoft requirements):
Step 1 At the Windows Vista start window, press the Ctrl+Alt+Delete key combination (Figure 3-6).
Figure 3-6 Vista Login Window Showing the Network Connect Button
This displays the Vista logon window with a Switch User button (Figure 3-7).
Figure 3-7 Vista Logon Window with Switch User Button
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Start Before Logon
Step 2 Click Switch User (circled in red in this figure). This displays a Vista Network Connect window (Figure 3-8) with the network login icon in the lower-right corner. The network login icon is circled in red in Figure 3-8.
Note If the user is already connected through an AnyConnect connection and clicks Switch User, that VPN connection remains. If the user clicks Network Connect, the original VPN connection terminates. If the user clicks Cancel, the VPN connection terminates.
Figure 3-8 Vista Network Connect Window
Step 3 Click the Network Connect button in the lower-right corner of the window to launch the AnyConnect client. This displays the AnyConnect client logon window (Figure 3-9).
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Start Before Logon
Step 4 Use this AnyConnect GUI to log in to the AnyConnect client as usual.
Note This example assumes the AnyConnect client is the only installed connection provider. If there are multiple providers installed, the user must select the one to use from the items displayed on this window.
Step 5 When the user has successfully connected, the user sees a screen similar to the Vista Network Connect window, except that it has the Microsoft Disconnect button in the lower-right corner (Figure 3-10). This is the only indication that the connection is successful.
Figure 3-10 Disconnect Window
Click the icon associated with your login; in this example, click VistaAdmin to complete your logging on to the machine.
Caution Once the connection is established, the user has an unlimited time in which to log on. If the user forgets to log on after connecting, the tunnel will be up indefinitely.
Disconnecting from the AnyConnect Client Using PLAP
After successfully connecting the tunnel, the PLAP component returns to the original window, this time with a Disconnect button displayed in the lower-right corner of the window (circled in Figure 3-10).
When the user clicks Disconnect, the VPN tunnel disconnects.
In addition to explicitly disconnecting in response to the Disconnect button, the tunnel also disconnects in the following situations:
• When a user logs on to a PC using PLAP but then presses Cancel.
• When the PC is shut down before the user logs on to the system.
This behavior is a function of the Windows Vista PLAP architecture, not the AnyConnect client.
Chapter 3 Configuring AnyConnect Client FeaturesEnabling FIPS and Additional Security
Enabling FIPS and Additional SecurityThe AnyConnect Local Policy specifies additional security parameters for the AnyConnect VPN client, including operating in a mode compliant with Level 1 of the Federal Information Processing Standard (FIPS), 140-2, a U.S. government standard for specific security requirements for cryptographic modules. The FIPS 140-2 standard applies to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems. The FIPS feature is licensed for the security appliance on a per-model basis.
Other parameters in the AnyConnect Local Policy increase security by forbidding remote updates to prevent Man-in-the-Middle attacks and by preventing non-administrator or non-root users from modifying client settings.
AnyConnect Local Policy parameters reside in an XML file called AnyConnectLocalPolicy.xml. This file is not deployed by the ASA 5500 Series security appliance. You must deploy this file using corporate software deployment systems or change the file manually on a user computer.
For Windows, we provide a Microsoft Transform (MST) file that you can apply to the standard MST installation file to enable FIPS. The MST does not change other AnyConnect Local Policy parameters. You can also use our Enable FIPS tool, a command line tool that can only be run on Windows using administrator privileges or as a root user for Linux and Mac. You can download our MST or the Enable FIPS tool from the Software Download page for the AnyConnect client.
Alternatively, you can obtain a copy of the AnyConnect Local Policy file from a client installation, manually edit the parameters, and deploy it to user computers.
The following sections describe all these procedures:
• AnyConnect Local Policy File Parameters and Values, page 3-20
• AnyConnect Local Policy File Example, page 3-9
• Changing Parameters for Windows Clients using our MST File, page 3-9
• Changing Parameters Manually in the AnyConnect Local Policy File, page 3-10
• Changing Parameters for all Operating Systems using our Enable FIPS Tool, page 3-24
AnyConnect Local Policy File Parameters and Values
Note If you omit a policy parameter in the profile file, the feature resorts to default behavior.
Chapter 3 Configuring AnyConnect Client FeaturesEnabling FIPS and Additional Security
Table 3-3 describes the parameters in the AnyConnect Local Policy file and their values:.
Table 3-3 AnyConnect Local Policy File and their Values
Parameter and Description Values and Value Formats
acversion
Specifies the minimum version of the AnyConnect client capable of interpreting all of the parameters in the file. If a client older than the version specified reads the file, it issues an event log warning.
The format is acversion="<version number>".
xmlns
The XML namespace specifier. Most administrators do not change this parameter.
The format is a URL, for example:
xmlns=http://schemas.xmlsoap.org/encoding/
xsi:schemaLocation
The XML specifier for the schema location. Most administrators do not change this parameter.
Enables FIPS mode for the client. The client uses only algorithms and protocols approved by the FIPS standard.
true—Enables FIPS mode.
false—Disables FIPS mode (default).
BypassDownloader
Disables the launch of the VPNDownloader.exe module, which is responsible for detecting the presence of and updating the local versions of the dynamic content.
true—The client does not check for any dynamic content present on the security appliance, including profile updates, translations, customization, optional modules, and core software updates.
false—The client checks for dynamic content present on the security appliance (default).
Note If you configure client profiles on the security appliance, they must be installed on the client prior to the client connecting to the security appliance with BypassDownloader set to true. Because the profile can contain administrator defined policy, the BypassDownloader true setting is only recommended if you do not rely on the security appliance to centrally manage client profiles.
RestrictWebLaunch
Prevents users from using a non-FIPS-compliant browser to obtain the security cookie used to initiate an AnyConnect tunnel by forbidding the use of WebLaunch and forcing users to connect using the AnyConnect FIPS-compliant stand-alone connection mode.
true—WebLaunch attempts fail and the client displays an informative message to the user.
false—Permits WebLaunch (default—behavior consistent with AnyConnect 2.3 and earlier).
Chapter 3 Configuring AnyConnect Client FeaturesEnabling FIPS and Additional Security
StrictCertificateTrust
When authenticating remote security gateways, the AnyConnect client disallows any certificate that it cannot verify. Instead of prompting the user to accept these certificates, the client fails to connect to security gateways using self signed certificates.
true—The client fails to connect to security gateways that use invalid, mismatched, or untrusted certificates which require user interaction.
false—The client prompts the user to accept the certificate (default—behavior consistent with AnyConnect 2.3 and earlier).
RestrictPreferenceCaching
By design, the AnyConnect client does not cache sensitive information to disk. Enabling this parameter extends this policy to any type of user information stored in the AnyConnect preferences.
Credentials—The user name and second user name are not cached.
Thumbprints—The client and server certificate thumbprints are not cached.
CredentialsAndThumbprints—certificate thumbprints and user names are not cached.
All—No automatic preferences are cached.
false—All preferences are written to disk (default—behavior consistent with AnyConnect 2.3 and earlier).
RestrictTunnelProtocols (currently not supported)
Forbids the use of certain tunnel protocol families to establish a connection to the security appliance.
TLS—The client only uses IKEv2 and ESP to establish the tunnel, and will not use TLS/DTLS to communicate information to the secure gateway.
IPSec—The client only uses TLS/DTLS for authentication and tunneling.
false—Any encrypted protocol may be used in connection establishment (default).
Note If you forbid the use of TLS or other protocols, certain advanced features, such as the automatic upgrading of Secure Desktop, may not work.
ExcludeFirefoxNSSCertStore (Linux and Mac)
Permits or excludes the client from using the Firefox NSS certificate store to verify server certificates. The store has information about where to obtain certificates for client certificate authentication.
true—Excludes the Firefox NSS certificate store.
false—Permits the Firefox NSS certificate store (default).
ExcludePemFileCertStore (Linux and Mac)
Permits or excludes the client from using the PEM file certificate store to verify server certificates. The store uses FIPS-capable OpenSSL and has information about where to obtain certificates for client certificate authentication. Permitting the PEM file certificate store ensures remote users are using a FIPS-compliant certificate store.
true—Excludes the PEM file certificate store.
false—Permits the PEM file certificate store (default).
Table 3-3 AnyConnect Local Policy File and their Values (continued)
Parameter and Description Values and Value Formats
Enabling FIPS with our MST FileFor Windows installations, you can apply the MST file we provide to the standard MSI installation file to enable FIPS in the AnyConnect Local Policy. The MST only enables FIPS and does not change other parameters. The installation generates an AnyConnect Local Policy file with FIPS enabled.
For information about where you can download our MST, see the licensing information you received for the FIPS client.
Changing any Local Policy Parameter with your own MST FileYou can create your own MST file to change any local policy parameters. Create your own MST file using the following custom rows. The names correspond to the parameters in AnyConnect Local Policy file (AnyConnectLocalPolicy.xml). See Table 3-3 for the descriptions and values you can set for these parameters:
• LOCAL_POLICY_BYPASS_DOWNLOADER
• LOCAL_POLICY_FIPS_MODE
• LOCAL_POLICY_RESTRICT_PREFERENCE_CACHING
• LOCAL_POLICY_RESTRICT_TUNNEL_PROTOCOLS
ExcludeMacNativeCertStore (Mac only)
Permits or excludes the client from using the Mac native (keychain) certificate store to verify server certificates.
true—Excludes the Mac native certificate store.
false—Permits the Mac native certificate store (default).
ExcludeWinNativeCertStore (Windows only, currently not supported)
Permits or excludes the client from using the Windows Internet Explorer native certificate store to verify server certificates.
true—Excludes the Windows Internet Explorer certificate store.
false—Permits the Windows Internet Explorer certificate store (default).
Table 3-3 AnyConnect Local Policy File and their Values (continued)
Parameter and Description Values and Value Formats
Chapter 3 Configuring AnyConnect Client FeaturesEnabling FIPS and Additional Security
• LOCAL_POLICY_RESTRICT_WEB_LAUNCH
• LOCAL_POLICY_STRICT_CERTIFICATE_TRUST
Note The AnyConnect client installation does not automatically overwrite an existing local policy file on the user computer. You must delete the existing policy file on user computers first, then the client installer can create the new policy file.
Changing Parameters for all Operating Systems using our Enable FIPS ToolFor all operating systems, you can use our Enable FIPS tool to create an AnyConnect Local Policy file with FIPS enabled. The Enable FIPS tools is a command line tool that can only be run on Windows using administrator privileges or as a root user for Linux and Mac.
For information about where you can download the Enable FIPS tool, see the licensing information you received for the FIPS client.
Table 3-4 shows the policy settings you can specify and the arguments and syntax to use. The behavior for the argument values is the same behavior specified for the parameters in the AnyConnect Local Policy file in Table 3-3.
You run the Enable FIPS tool by entering the command EnableFIPS <arguments> from the command line of the computer. The following usage notes apply to the Enable FIPS tool:
• If you do not supply any arguments, the tool enables FIPS and restarts the vpnagent service (Windows) or the vpnagent daemon (Mac and Linux).
• Separate multiple arguments with spaces.
The following example shows the Enable FIPS tool command, run on a Windows computer:
EnableFIPS rwl=false sct=true bd=true fm=false
The next example shows the command, run on a Linux or Mac computer:
./EnableFIPS rwl=false sct=true bd=true fm=false
Table 3-4 shows the policy settings and the arguments for the Enable FIPS tool.
Table 3-4 Policy Settings and Arguments for the Enable FIPS Tool
Step 3 Save the file as AnyConnectLocalPolicy.xml and deploy the file to remote computers using corporate an IT software deployment system.
Enabling Trusted Network DetectionTrusted Network Detection (TND) gives you the ability to have the AnyConnect client automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network) and start the VPN connection when the user is outside the corporate network (the untrusted network). This feature encourages greater security awareness by initiating a VPN connection when the user is outside the trusted network.
If a client is also running Start Before Logon (SBL), and the user moves into the trusted network, the SBL window displayed on the computer automatically closes.
Table 3-5 Operating System and AnyConnect Local Policy File Installation Path
Operating System Installation Path
Windows %APPDATA%\Cisco\Cisco AnyConnect VPN Client1
1. %APPDATA% refers to the environmental variable by the same name. This is C:\Documents and Settings\All Users on most Win XP systems and C:\ProgramData on Windows Vista.
Windows Mobile %PROGRAMFILES%\Cisco AnyConnect VPN Client
TND does not interfere with the ability of the user to manually establish a VPN connection. It does not disconnect a VPN connection that the user starts manually in the trusted network. TND only disconnects the VPN session if the user first connects in an untrusted network and moves into a trusted network. For example, TND disconnects the VPN session if the user makes a VPN connection at home and then moves into the corporate office.
Because the TND feature controls the AnyConnect client GUI and automatically initiates connections, the GUI should run at all times. If the user exits the GUI, TND does not automatically start the VPN connection.
The AnyConnect client supports TND on Windows XP and later, and Mac OS X.
You configure TND in the AnyConnect profile (AnyConnectProfile.xml). No changes are required to the security appliance configuration. Table 3-6 shows the profile parameters to configure TND and their values:
Note If you configure both TrustedDNSDomains and TrustedDNSServers, users must match both settings to be considered in the trusted network.
Table 3-6 Trusted Network Detection Parameters
Name Possible Values and Descriptions
AutomaticVPNPolicy true—Enables TND. Automatically manages when a VPN connection should be started or stopped according to the TrustedNetworkPolicy and UntrustedNetworkPolicy parameters.
false—Disables TND. VPN connections can only be started and stopped manually.
Note AutomaticVPNPolicy does not prevent users from manually controlling a VPN connection.
TrustedNetworkPolicy Disconnect—Disconnects the VPN connection in the trusted network.
DoNothing—Takes no action in the trusted network.
UntrustedNetworkPolicy Connect—Initiates the VPN connection (if none exists) in the untrusted network.
DoNothing—Takes no action in the untrusted network.
Note Setting both TrustedNetworkPolicy and UntrustedNetworkPolicy to DoNothing disables TND.
TrustedDNSDomains A list of DNS suffixes (a string separated by commas) that a network interface may have when the client is in the trusted network. The following is an example of a TrustedDNSDomain string:
*.cisco.com
Wildcards (*) are supported for DNS suffixes.
TrustedDNSServers A list of DNS server addresses (a string separated by commas) that a network interface may have when the client is in the trusted network. The following is an example of a TrustedDNSServers string:
161.44.124.*,64.102.6.247
Wildcards (*) are supported for DNS server addresses.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Certificate Store
The following text shows the ClientInitialization section of the profile file with the TND parameters configured. In the example, the client is configured to automatically disconnect the VPN connection when in the trusted network, and to initiate the VPN connection in the untrusted network:
Users with Multiple Profiles Connecting to Multiple Security AppliancesMultiple profiles on a user computer may present problems if the user alternates connecting to a security appliance that has TND enabled and to one that does not. If the user has connected to a TND-enabled security appliance in the past, that user has received a TND-enabled profile. If the user reboots the computer when out of the trusted network, the GUI of the TND-enabled client displays and attempts to connect to the security appliance it was last connected to, which could be the one that does not have TND enabled.
If the client connects to the TND-enabled security appliance, and the user wishes to connect to the non-TND security appliance, the user must manually disconnect and then connect to the non-TND security appliance. Please consider these problems before enabling TND when the user may be connecting to security appliances with and without TND.
The following workarounds will help you prevent this problem:
• Enable TND in the client profiles loaded on all your security appliances on your corporate network.
• Create one profile listing all your security appliances in the host entry section, and load that profile on all your security appliances.
• If users do not need to have multiple, different profiles, use the same profiles name for the profiles on all your security appliances. The security appliance overrides the existing profile.
Configuring a Certificate StoreYou can configure how AnyConnect locates and handles certificate stores on the local host. Depending on the platform, this may involve limiting access to a particular store or allowing the use of files instead of browser based stores. The purpose is to direct AnyConnect to the desired location for Client certificate usage as well as Server certificate verification.
Table 3-7 DNS Suffix Matching Examples
To Match this DNS Suffix: Use this Value for TrustedDNSDomains:
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Certificate Store
For Windows, you can control in which certificate store the AnyConnect client searches for certificates. You may want to configure the client to restrict certificate searches to only the user store or only the machine store. For Mac and Linux, you can create a certificate store for PEM-format certificate files.
These certificate store configurations are stored in the AnyConnect client profile.
Note You can also configure more certificate store restrictions in the AnyConnect local policy. The AnyConnect local policy is an XML file you deploy using enterprise software deployment systems and it is separate from the AnyConnect client profile. The settings in the file restrict the use of the Firefox NSS (Linux and Mac), PEM file, Mac native (keychain) and Windows Internet Explorer native certificate stores. For more information, see Enabling FIPS and Additional Security, page 3-20.
The following sections describe the procedures for configuring certificate stores and controlling their use:
• Controlling the Certificate Store on Windows, page 3-28
• Examples of <CertificateStore> and <CertificateStoreOverride> Usage, page 3-29
• Creating a PEM Certificate Store for Mac and Linux, page 3-29
• Restricting Certificate Store Use, page 3-31
Controlling the Certificate Store on WindowsWindows provides separate certificate stores for the local machine and for the current user. Users with administrative privileges on the computer have access to both certificate stores. You can specify in which certificate store the AnyConnect client searches for certificates.
You can configure certificate store lookups by adding <CertificateStore> as a child element of the <ClientInitialization> element in the AnyConnect client profile.
If the <CertificateStore> element is not in the profile, AnyConnect uses all available certificate stores. This setting has no effect on non-Windows platforms.
The <CertificateStore> element has three possible values, these values are case-sensitive:
• All—(default) Search all certificate stores.
• Machine—Search the machine certificate store (the certificate identified with the computer).
• User—Search the user certificate store.
If users do not have administrative privileges on their computers, the only certificate store their account has access to is the user store. You can configure an additional element <CertificateStoreOverride>, also as a child of <ClientInitialization>, which grants those users access to the machine certificate store, allowing AnyConnect to search that store as well.
<CertificateStoreOverride> has two possible settings, these values are case-sensitive:
• true—Allows AnyConnect to search a computer’s machine certificate store even when the user does not have administrative privileges.
• false—(default) Does not allow AnyConnect to search the machine certificate store of a user without administrative privileges.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Certificate Store
Examples of <CertificateStore> and <CertificateStoreOverride> Usage<CertificateStore> and <CertificateStoreOverride> are both children of <ClientInitialization>. The following example shows these elements in the correct format and illustrates the default values explained in Table 3-8.
Creating a PEM Certificate Store for Mac and LinuxThe AnyConnect client supports certificate authentication using a Privacy Enhanced Mail (PEM) formatted file store. Instead of relying on browsers to verify and sign certificates, the client reads PEM-formatted certificate files from the file system on the remote computer, and verifies and signs them.
Table 3-8 Examples of Certificate Store and Certificate Store Override Configurations
<CertificateStore> Value
<CertificateStoreOverride>Value AnyConnect Action
All false AnyConnect searches all certificate stores. AnyConnect is not allowed to access the machine store when the user has non-administrative privileges.
These are the default values. This setting is appropriate for the majority of cases. Do not change this setting unless you have a specific reason or scenario requirement to do so.
All true AnyConnect searches all certificate stores. AnyConnect is allowed to access the machine store when the user has non-administrative privileges.
Machine true AnyConnect searches the machine certificate store. AnyConnect is allowed to search the machine store when the user has non-administrative privileges.
Machine false AnyConnect searches the machine certificate store. AnyConnect is not allowed to search the machine store when the user has non-administrative privileges.
Note This configuration might be used when only a limited group of users are allowed to authenticate using a certificate.
User not applicable AnyConnect searches in the user certificate store only. The certificate store override is not applicable because non-administrative accounts have access to this certificate store.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Certificate Store
Restrictions for PEM File Filenames
In order for the AnyConnect client to acquire the appropriate certificates under all circumstances, ensure that your files meet the following requirements:
• All certificate files must end with the extension .pem.
• All private key files must end with the extension .key.
• A client certificate and its corresponding private key must have the same filename. For example: client.pem and client.key
Note Instead of keeping copies of the PEM files, you can use soft links to PEM files.
Storing User Certificates
To create the PEM file certificate store, create the paths and folders listed in Table 9. Place the appropriate certificates in these folders:
Note The requirements for machine certificates are the same as for PEM file certificates, with the exception of the root directory. For machine certificates, substitute /opt/.cisco for ~/.cisco. Otherwise, the paths, folders, and types of certificates listed in Table 9 apply.
Table 9 PEM File Certificate Store Folders and Types of Certificates Stored
PEM File Certificate Store Folders Type of Certificates Stored
Restricting Certificate Store UseYou can configure additional restrictions on the client using certificate stores by setting parameters in the AnyConnect local policy that restrict the use of the Firefox NSS (Linux and Mac), PEM file, Mac native (keychain) and Windows Internet Explorer native certificate stores. Table 3-10 shows the parameters that control these restrictions:
Configuring Simplified Certificate Enrollment ProtocolThe AnyConnect standalone client can employ the Simple Certificate Enrollment Protocol (SCEP) to provision and renew a certificate used for client authentication. The goal of SCEP is to support the secure issuance of certificates to network devices in a scalable manner, using existing technology whenever possible.
In our implementation of the SCEP protocol, the AnyConnect client sends a certificate request and the certificate authority (CA) automatically accepts or denies the request. (The SCEP protocol also allows for a method where the client requests a certificate and then polls the CA until it receives an accept or deny response. The polling method is not implemented in this release.)
AnyConnect administrators configure the use of SCEP requests in the client profile file. This file is an XML file downloaded with the client that contains settings that affect client behavior. Table 3-11 describes the profile elements used to configure the SCEP feature.
Use of the SCEP protocol is supported on all operating systems that support the AnyConnect client.
Table 3-10 Certificate Store Parameters in the AnyConnect Local Policy
Parameter and Description Values and Value Formats
ExcludeFirefoxNSSCertStore (Linux and Mac)
Permits or excludes the client from using the Firefox NSS certificate store to verify server certificates. The store has information about where to obtain certificates for client certificate authentication.
true—Excludes the Firefox NSS certificate store.
false—Permits the Firefox NSS certificate store (default).
ExcludePemFileCertStore (Linux and Mac)
Permits or excludes the client from using the PEM file certificate store to verify server certificates. The store uses FIPS-capable OpenSSL and has information about where to obtain certificates for client certificate authentication. Permitting the PEM file certificate store ensures remote users are using a FIPS-compliant certificate store.
true—Excludes the PEM file certificate store.
false—Permits the PEM file certificate store (default).
ExcludeMacNativeCertStore (Mac only)
Permits or excludes the client from using the Mac native (keychain) certificate store to verify server certificates.
true—Excludes the Mac native certificate store.
false—Permits the Mac native certificate store (default).
ExcludeWinNativeCertStore (Windows only, currently not supported)
Permits or excludes the client from using the Windows Internet Explorer native certificate store to verify server certificates.
true—Excludes the Windows Internet Explorer certificate store.
false—Permits the Windows Internet Explorer certificate store (default).
• Provisioning and Renewing Certificates Automatically or Manually, page 3-32
• Configuring SCEP Protocol to Provision and Renew Certificates, page 3-33
• Certificate Storage after SCEP Request, page 3-38
• Configuring the ASA to Support SCEP Protocol for AnyConnect, page 3-38
Provisioning and Renewing Certificates Automatically or ManuallyYou can configure SCEP requests so that either AnyConnect initiates certificate requests automatically or users initiate certificate requests manually.
Automatic Certificate Requests
AnyConnect attempts to automatically retrieve new certificates in two cases. For both cases, client certificate authentication must fail before AnyConnect tries to automatically retrieve the new certificates.
The first case is when users attempt to connect to a group-url which is identified in the <AutomaticSCEPHost> element of their client profile. AnyConnect initiates the SCEP certificate request after a VPN, based on the SCEP-enabled group-url, has been established.
The user may be prompted for a Certificate ID. The Certificate ID is the challenge password or token to be offered to the certificate authority that identifies the user to the certificate authority. With this ID and the other data in the SCEP section of the profile, AnyConnect contacts the certificate authority and continues with the SCEP retrieval process. If the PromptForChallengePW attribute of the <CAURL> element is enabled in the client profile, AnyConnect prompts users for a Certificate ID.
The second method for triggering automatic certificate retrieval is the case where the <CertificateSCEP> element is not defined in the client profile. In this case, the user attempts to connect using a connection profile that has been setup to support access to a certificate authority. Once the VPN has been activated, AnyConnect searches the client profile, downloaded as part of the VPN activation, to see if the group-url chosen for the connection is found in the client profile.
If AnyConnect finds the group-url in the <AutomaticSCEPHost> element of the client profile, this triggers the automatic SCEP retrieval process in the same manner as described in the previous method.
Manual Certificate Retrieval
Users initiate requests for new certificates by clicking the Get Certificate or Enroll button on the AnyConnect interface. AnyConnect presents these buttons to users in either of these circumstances, as long as the SCEP section of the AnyConnect profile is configured:
• When the ASA requests a certificate and none of the certificates on the host are available are accepted
• When the current certificate used by AnyConnect has expired
Users will only be able to initiate the certificate request in one of the following instances:
• The host has direct access to the certificate authority
• The certificate authority is publicly available
• The host already has an established VPN tunnel which gives it access to the certificate authority
• The URL of the certificate authority is defined in the client profile in the <CAURL> element
Figure 3-11 Get Certificate and Enroll Buttons
Windows Certificate Warning
When Windows clients first attempt to retrieve a certificate from the certificate authority, either manually or automatically, they may see a warning like the one in Figure 3-12. When prompted, users must click Yes. This allows them to receive the user certificate and the root certificate. Clicking No will only allow them to receive the user certificate and they may not be able to authenticate.
Figure 3-12 Windows Certificate Security Warning
Configuring SCEP Protocol to Provision and Renew Certificates The AnyConnect client retrieves certificates using the SCEP protocol if the <CertificateSCEP> element is defined in a client profile, the client profile is specified in a group policy, and the group policy is specified in users’ connection profile.
Table 3-11 describes the elements in the client profile used to configure SCEP. Example 3-1 shows a sample of the SCEP elements in a client profile.
See Configuring and Deploying the AnyConnect Client Profile, page 3-2 for more information about how to configure a client profile.
Table 3-11 Elements in the client profile file used to configure SCEP
Element name Child of Description
CertificateEnrollment ClientInitialization Starting tag for certificate enrollment.
CertificateExpirationThreshold CertificateEnrollment Note This parameter is not supported in Anyconnect 2.4.
Specifies the number of days prior to the certificate’s expiration date, that AnyConnect warns users that their certificate is going to expire.
Default: 0
Range of Values: 0-180
The default value for this element is 0 which means no warning will be displayed. The maximum value is 180 days prior to the certificate expiring.
In the following example, CertificateExpirationThreshold is set to 14 days.
Note CertificateExpirationThreshold is only supported when SCEP is disabled. SCEP is disabled when there is no <CertificateSCEP> element defined in the client profile.
AutomaticSCEPHost CertificateEnrollment The host will attempt automatic certificate retrieval if this attribute specifies the ASA host name and connection profile (tunnel group) for which SCEP certificate retrieval is configured.
Permitted values:
• Fully qualified domain name of the ASA\connection profile name
• IP Address of the ASA\connection profile name
In the following example, the AutomaticSCEPHost field specifies, asa.cisco.com as the host name of the ASA and scep_eng as the name of the connection profile (tunnel group) configured for SCEP certificate retrieval.
CAURL CertificateEnrollment Identifies the SCEP CA server.
Permitted values: Fully qualified domain name or IP Address of CA server.
In the following example, the CAURL field identifies http://ca01.cisco.com as the name of the SCEP CA server.
Attributes of CAURL:
PromptForChallengePW: Used for manual get certificate requests. After the user clicks Get Certificate, they will be prompted for their username and one time password.
Permitted values: true, false
The PromptForChallengePW attribute in the example below is configured “true.”
Thumbprint: The CA’s certificate thumbprint. Use SHA1 or MD5 hashes. The Thumbprint attribute in the example below is 8475B661202E3414D4BB223A464E6AAB8CA123AB.
Note Obtain the CA URL and thumbprint, from your CA server administrator. The CA server administrator should retrieve the thumbprint directly from the server and not from a “fingerprint” or “thumbprint” attribute field in a certificate it issued.
CertificateSCEP CertificateEnrollment Section that defines how the contents of the certificate will be requested. See the CertificateSCEP element in the following example.
CADomain CertificateSCEP Domain of the certificate authority.
In the following example, the CADomain is cisco.com.
Name_CN CertificateSCEP Common Name in the certificate.
In the following example, Name_CN is %USER% which corresponds to the user’s ASA username login credential.
Department_OU CertificateSCEP Department name specified in certificate.
Company_O CertificateSCEP Company name specified in certificate.
State_ST CertificateSCEP State identifier named in certificate.
Country_C CertificateSCEP Country identifier named in certificate.
Email_EA CertificateSCEP Email address.
In the following example, Email_EA is %USER%@cisco.com. %USER% corresponds to the user’s ASA username login credential.
Domain_DC CertificateSCEP Domain component. In the following example, Domain_DC is set to cisco.com.
Table 3-11 Elements in the client profile file used to configure SCEP
DisplayGetCertButton CertificateSCEP Determines if the AnyConnect GUI displays the Get Certificate button. Administers may choose to configure this button if they think it will give their users a clearer understanding of what they are doing when interacting with the AnyConnect interface. Without this button, users see a button labeled “Enroll” along with a message box that AnyConnect is contacting the certificate authority to attempt certificate enrollment.
Default value: false
Range of Values: true, false
If the DisplayGetCertButton attribute is set to false, the Get Certificate button will not be visible in the AnyConnect GUI. Choose false if you do not permit users to manually request provisioning or renewal of authentication certificates.
If the DisplayGetCertButton attribute is set to true, the Get Certificate button will be visible to users after the certificate has expired or if no certificate is present. Choose true if you permit users to manually request provisioning or renewal of authentication certificates. Typically, these users will be able to reach the certificate authority without first needing to create a VPN tunnel.
In the following example, DisplayGetCertButton is set to false.
ServerList AnyConnectProfile Starting tag for the server list. The server list is presented to users when they first launch AnyConnect. Users can choose which ASA to login to. See ServerList in the following example.
HostEntry ServerList Starting tag for configuring an ASA. Look at the second HostEntry element in the following example.
HostName HostEntry Host name of the ASA. In the second HostEntry element in the following example, the HostName element is Certificate Enroll.
HostAddress HostEntry Fully qualified domain name of the ASA. In the second HostEntry element in the following example, the HostAddress element is set to ourasa.cisco.com.
Table 3-11 Elements in the client profile file used to configure SCEP
Example 3-1 Example of SCEP Elements in User Profile
Note The AnyConnect profile fails XML validation if the tags are not presented in the appropriate order. Consult the AnyConnectProfile.xsd which is installed as part of the AnyConnect installation.
AutomaticSCEPHost HostEntry This element has the same definition and permitted values as the one described earlier in this table. However, if this element is configured, and the user chooses this HostEntry from the server list, this value overrides the value of AutomaticSCEPHost configured earlier in the user profile file.
In the following example, for this HostEntry, AutomaticSCEPHost is set to ourasa.cisco.com/scep_eng.
CAURL HostEntry This element has the same definition, permitted values, and attributes as the one described earlier in this table. However, if this element is configured, and the user chooses this HostEntry from the server list, this value overrides the value of CAURL configured earlier in the user profile file.
In the following example, for this HostEntry, CAURL is set to http://ca02.cisco.com.
Table 3-11 Elements in the client profile file used to configure SCEP
Note Do not cut and paste the examples from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor such as Notepad or Wordpad.
Certificate Storage after SCEP RequestCertificates obtained through a SCEP request are stored in the users personal certificate store. In addition, if the user has sufficient privileges on Windows desktop platforms, the certificate is also saved to the machine store. On MAC platforms, certificates obtained through a SCEP request are only added to the “login” keychain. On Linux, we support the Firefox browser certificate store.
Configuring the ASA to Support SCEP Protocol for AnyConnectTo provide access to a private Registration Authority (RA), the ASA administrator should create a group-url that has an ACL restricting private side network connectivity to the desired RA. To automatically retrieve a certificate, users would then connect and authenticate to this group-url.
Once users have authenticated to this group-url, AnyConnect downloads the client profile assigned to the connection profile. The client profile contains a <CertificateEnrollment> section. With the information in this section, the client automatically connects to the certificate authority specified in the <CAURL> element of the client profile and initiates certificate enrollment. ASA administrators need to perform these configuration tasks:
• Create a group-url on the ASA to point to the specially configured group.
• Specify the group-url in the <AutomaticSCEPHost> element in the user’s client profile.
• Attach the client profile containing the <CertificateEnrollment> section to the specially configured group.
• Set an ACL for the specially configured group to restrict traffic to the private side RA.
To keep the SCEP enabled group from being exposed to the user, is should not be “enabled” on the ASA. With the described implementation it is not necessary to expose the group to users for them to have access to it.
Configuring Certificate Only Authentication on the ASA
To support certificate-only authentication in an environment where multiple groups are used, an administrator may provision more than one group-url. Each group-url would contain a different client profile with some piece of customized data that would allow for a group-specific certificate map to be created. For example, the Department_OU value of Engineering could be provisioned on the ASA to place the user in this group when the certificate from this process is presented to the ASA.
Configuring Certificate MatchingThe AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matching are global criteria that can be set in an AnyConnect profile. The criteria are:
Certificate Key Usage MatchingCertificate key usage offers a set of constraints on the broad types of operations that can be performed with a given certificate. The supported set includes:
• DIGITAL_SIGNATURE
• NON_REPUDIATION
• KEY_ENCIPHERMENT
• DATA_ENCIPHERMENT
• KEY_AGREEMENT
• KEY_CERT_SIGN
• CRL_SIGN
• ENCIPHER_ONLY
• DECIPHER_ONLY
The profile can contain none or more matching criteria. If one or more criteria are specified, a certificate must match at least one to be considered a matching certificate.
The example in Certificate Matching Example, page 3-41 shows how you might configure these attributes.
Extended Certificate Key Usage MatchingThis matching allows an administrator to limit the certificates that can be used by the client, based on the Extended Key Usage fields. Table 3-12 lists the well known set of constraints with their corresponding object identifiers (OIDs).
All other OIDs, such as 1.3.6.1.5.5.7.3.11, used in some examples in this document) are considered “custom.” As an administrator, you can add your own OIDs if the OID you want is not in the well known set. The profile can contain none or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. See the example AnyConnect profile named AnyConnectProfile.tmpl, which the AnyConnect client automatically downloads to the endpoint.
Certificate Distinguished Name MappingThe certificate distinguished name mapping capability allows an administrator to limit the certificates that can be used by the client to those matching the specified criteria and criteria match conditions. Table 3-13 lists the supported criteria:
Table 3-13 Criteria for Certificate Distinguished Name Mapping
The profile can contain zero or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. Distinguished Name matching offers additional match criteria, including the ability for the administrator to specify that a certificate must or must not have the specified string, as well as whether wild carding for the string should be allowed. See the example AnyConnect profile named AnyConnectProfile.tmpl, which the AnyConnect client automatically downloads to the endpoint.
Certificate Matching Example
Note In this and all subsequent examples, the profile values for KeyUsage, ExtendedKeyUsage, and DistinguishedName are just examples. You should configure only the CertificateMatch criteria that apply to your certificates.
The following example shows how to enable the attributes that you can use to refine client certificate selection.
<CertificateMatch> <!-- Specifies Certificate Key attributes that can be used for choosing acceptable client certificates. -->
</ExtendedKeyUsage> <!-- Certificate Distinguished Name matching allows for exact match criteria in the choosing of acceptable client certificates. -->
Within the ClientInitialization section, the CertificateMatch section defines preferences that refine client certificate selection. Except as noted, these parameters do not have default values; that is, if you do not specify a parameter, it is simply not in effect. Table 3-14 summarizes these parameters and defines their possible values.
Include the CertificateMatch section in a profile only if certificates are used as part of authentication. Only those CertificateMatch subsections (KeyUsage, ExtendedKeyUsage and DistinguishedName) that are needed to uniquely identify a user certificate should be included in the profile. The data in any of these sections should be specific to the user certificate to be matched.
Table 3-14 Certificate Match Parameters
XML Tag Name Possible Values Description Example
CertificateMatch n/a Group identifier <CertificateMatch>...</CertificateMatch>
KeyUsage n/a Group identifier, subordinate to CertificateMatch. Use these attributes to specify acceptable client certificates.
Within the KeyUsage group, MatchKey attributes specify attributes that can be used for choosing acceptable client certificates. Specify one or more match keys. A certificate must match at least one of the specified key to be selected.
Within the ExtendedKeyUsage group, ExtendedMatchKey specifies attributes that can be used for choosing acceptable client certificates. Specify zero or more extended match keys. A certificate must match all of the specified key(s) to be selected.
Well-known MIB OID values, such as1.3.6.1.5.5.7.3.11
Within the ExtendedKeyUsage group, you can specify zero or more custom extended match keys. A certificate must match all of the specified key(s) to be selected. The key should be in OID form (for example, 1.3.6.1.5.5.7.3.11)
DistinguishedName n/a Group identifier. Within the DistinguishedName group, Certificate Distinguished Name matching lets you specify match criteria for choosing acceptable client certificates.
<DistinguishedName>...</DistinguishedName>
Table 3-14 Certificate Match Parameters (continued)
DistinguishedNameDefinition specifies a set of operators used to define a single Distinguished Name attribute to be used in matching. The Operator specifies the operation to use in performing the match. MatchCase specifies whether the pattern matching is case sensitive.
Name CNDCSNGNNIGENQDNQCLSPSTOOUTEAISSUER-CNISSUER-DCISSUER-SNISSUER-GNISSUER-NISSUER-IISSUER-GENQISSUER-DNQISSUER-CISSUER-LISSUER-SPISSUER-STISSUER-OISSUER-OUISSUER-TISSUER-EA
A DistinguishedName attribute name to be used in matching. You can specify up to 10 attributes.
Pattern A string (1-30 characters) enclosed in double quotes. With wildcards enabled, the pattern can be anywhere in the string.
Specifies the string (pattern) to use in the match. Wildcard pattern matching is disabled by default for this definition.
Table 3-14 Certificate Match Parameters (continued)
Prompting Users to Select Authentication CertificateIn previous releases, when users authenticated their AnyConnect session using a certificate, AnyConnect provided the matching certificate without involving the user. Starting in this release, AnyConnect can be configured to present users with a list of valid certificates and allow them to choose the certificate with which they want to authenticate their session.
This configuration is available only for Windows 7, Vista, and XP.
Configuring the Client Profile with AutomaticCertSelectionTo allow users to choose their authentication certificate, AnyConnect Administrators must provide the users with a client profile that has the <AutomaticCertSelection> element set to false. See Configuring and Deploying the AnyConnect Client Profile, page 3-2 to learn how to edit and distribute the client profile.
Here is the description of the <AutomaticCertSelection> element and an example of how it appears in the client profile.
Table 3-15 AutomaticCertSelection element description
Figure 3-13 AutomaticCertSelection element in client profile
Caution Do not cut and paste the examples from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor.
Element name Child of Description
AutomaticCertSelection ClientInitialization Allows or prevents users from selecting the certificate used to authenticate their AnyConnect session. Presence of this field exposes the Automatic certificate selection checkbox in the AnyConnect Preferences dialog box.
Permitted Values:
• true - Set the value to true to allow AnyConnect to automatically select the authentication certificate.
• false - Set the value to false to prompt the user to select the authentication certificate.
Users Configuring Automatic Certificate Selection in AnyConnect PreferencesThe presence of the <AutomaticCertSelection> element in the client profile, exposes the Automatic certificate selection checkbox in the AnyConnect Preferences dialog box. Users will be able to turn Automatic certificate selection on and off by checking or unchecking Automatic certificate selection.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Backup Server List Parameters
Configuring Backup Server List ParametersYou can configure a list of backup servers the client uses in case the user-selected server fails. These servers are specified in the AnyConnect client profile, in the ClientInitialization section. In some cases, the BackupServerList might specify host specific overrides.
These parameters do not have default values; that is, if you do not specify a parameter, it is simply not in effect. Table 3-16 lists these parameters and defines their possible values.
Note Include the BackupServerList section in a profile only if you want to specify backup servers.
Installing AnyConnect on a Windows Mobile DeviceThe security appliance does not support WebLaunch of AnyConnect on mobile devices. Just as you can do so with corporate computers, you can pre-deploy AnyConnect on Windows Mobile devices issued to employees. Otherwise, mobile users must download and install AnyConnect Client for Windows Mobile.
Perform the following steps to download and install AnyConnect Client for Windows Mobile.
Step 1 Download any of the following files from the Cisco AnyConnect VPN Client Download Software site to get the Windows Mobile Client:
• File containing all client installation packages: anyconnect-all-packages—AnyConnectRelease_Number-k9.zip
• CAB package signed by Cisco for Windows Mobile devices: anyconnect-wince-ARMv4I-AnyConnectRelease_Number-k9.cab
• ActiveSync MSI package for Windows Mobile platforms: anyconnect-wince-ARMv4I-activesync-AnyConnectRelease_Number-k9.msi
Step 2 Unzip the anyconnect-all-packages—AnyConnectRelease_Number-k9.zip file if you chose to download that file.
Step 3 Transfer the file to a corporate server if you want to provide users with a link to the client.
Step 4 Make sure the Windows Mobile device meets the system requirements in the latest AnyConnect Release Notes.
Step 5 Use your preferred method to transfer the .cab or .msi file from your intranet server or local computer to the mobile device. Some examples include:
• Microsoft ActiveSync over radio
• HTTP, FTP, SSH, or shared files over the LAN or radio
Table 3-16 Backup Server Parameters
Name Possible Values Description Examples
BackupServerList n/a Group identifier <BackupServerList>...</BackupServerList>
HostAddress An IP address or a Full-Qualified Domain Name (FQDN)
Specifies a host address to include in the backup server list.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Windows Mobile Policy
• Bluetooth
• (USB) Cable
• Media card transfer
Step 6 Use the mobile device to open the file you transferred, and proceed with the installation wizard.s
Configuring a Windows Mobile PolicyTo allow end users to connect using Windows Mobile devices, configure the Mobile Policy parameters. These parameters apply only to Windows Mobile devices. Include them only if your end users use Windows Mobile. See the latest AnyConnect Release Notes for detailed, current information about Windows Mobile device support.
Note Windows Mobile Policy enforcement is supported only on Windows Mobile 5, Windows Mobile 5+AKU2, and Windows Mobile 6. It is not supported on Windows Mobile 6.1. Attempts to connect to a secure gateway that is configured to require a security policy that cannot be enforced will fail. In environments containing Windows Mobile 6.1 devices, administrators should either create a separate group for Windows Mobile 6.1 users that does not contain Mobile Policy enforcement or disable Mobile Policy enforcement on the secure gateway.
The following attributes can be specified to check additional settings. The platforms for which each additional check is performed are specified with “WM5AKU2+” for Windows Mobile 5 with the Messaging and Security Feature Pack, delivered as part of Adaption Kit Upgrade 2 (AKU2).
Note This configuration merely validates the policy that is already present; it does not change it.
Table 3-17 shows the MobilePolicy parameters and their values.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Windows Mobile Policy
Table 3-17 Mobile Policy Parameters
Parameter Possible Values Description Example
MobilePolicy n/a Group identifier. <MobilePolicy>...</MobilePolicy>
DeviceLockRequired n/a Group identifier. Within the MobilePolicy group, DeviceLockRequired indicates that a Windows Mobile device must be configured with a password or PIN prior to establishing a VPN connection. This configuration is valid only on Windows Mobile devices that use the Microsoft Default Local Authentication Provider (LAP).
Note The AnyConnect client supports Mobile Device Lock on Windows Mobile 5.0, WM5AKU2+, and Windows Mobile 6.0, but not on Windows Mobile 6.1.
Within the DeviceLockRequired group, this parameter, when set to a non-negative number, specifies the maximum number of minutes that must be configured before device lock takes effect.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Windows Mobile Policy
Note Check with your service provider regarding your data plan before using AnyConnect for Windows Mobile, as you might incur additional charges if you exceed the data usage limits of your plan.
MinimumPasswordLength Any non-negative integer
Within the DeviceLockRequired group, when set to a non-negative number, this parameter specifies that any PIN/password used for device locking must have at least the specified number of characters.
This setting must be pushed down to the mobile device by syncing with an Exchange server before it can be enforced. (WM5AKU2+)
PasswordComplexity "alpha"-Requires an alphanumeric password.
"pin"-Requires a numeric PIN.
"strong"-Requires a strong alphanumeric password, defined by Microsoft as containing at least 7 characters, including at least 3 from the set of uppercase, lowercase, numerals, and punctuation.
When present checks for the password subtypes listed in the column to the left.
This setting must be pushed down to the mobile device by syncing with an Exchange server before it can be enforced. (WM5AKU2+)
Step 2 Download the 32-bit version of FireFox from http://www.mozilla.com and install it on /usr/local/firefox.
The client looks in this directory first for the NSS crypto libraries it needs.
Step 3 Enter the following command to extract the Firefox installation to the directory indicated:
administrator@ubuntu-904-64:/usr/local$ sudo tar -C /usr/local -xvjf ~/Desktop/firefox-version.tar.bz2
Step 4 Run Firefox at least once as the user who will use AnyConnect.
Doing so creates the .mozilla/firefox profile in the user's home directory, which is required by AnyConnect for interacting with the Firefox certificate store.
Step 5 Install the AnyConnect client in standalone mode.
Using the Manual Install Option on Mac OS if the Java Installer Fails
If you use WebLaunch to start AnyConnect on a Mac and the Java installer fails, a dialog box presents a Manual Install link. Proceed as follows:
Step 1 Click Manual Install.
A dialog box presents the option to save the vpnsetup.sh file.
Step 2 Save the vpnsetup.sh file on the Mac.
Step 3 Open a Terminal window and use the CD command to navigate to the directory containing the file saved.
Step 4 Enter the following command:
sudo /bin/sh vpnsetup.sh
The vpnsetup script starts the AnyConnect installation.
Step 5 Following the installation, choose Applications > Cisco > Cisco AnyConnect VPN Client to initiate an AnyConnect VPN session.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Auto Connect On Start
Configuring Auto Connect On StartBy default, AnyConnect, when started, automatically establishes a VPN connection with the secure gateway specified by the AnyConnect client profile. Upon connecting, AnyConnect replaces the local profile with the one provided by the secure gateway if the two do not match, and applies the settings of that profile.
To modify the default auto connect settings, insert the <AutoConnectOnStart> tag into the <ClientInitialization> section of the client profile.
If you disable auto connect and the user starts AnyConnect, the AnyConnect GUI displays the settings configured by default as user-controllable. The user must select the name of the secure gateway in the Connect to drop-down list in the AnyConnect GUI and click Connect. Upon connecting, AnyConnect applies the settings of the AnyConnect client profile provided by the security appliance.
Table 3-18 shows the information about the <AutoConnectOnStart> tag.
Table 3-18 AutoConnectOnStart tag
XML Tag Name Default Value1
1. AnyConnect uses the default value if the profile does not specify one.
Possible Values2
2. Insert the parameter value between the beginning and closing tags; for example, <AutoConnectOnStart>true</AutoConnectOnStart>.
User ControllableUser Controllable by Default3
3. The AnyConnect Preferences dialog box displays the parameter values and lets users change them, depending on the value of the associated user control attribute. The user control attribute is optional. If you do not insert it, AnyConnect uses its default value. To permit or deny user control, insert the user control attribute inside the opening tag; for example, <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Auto Reconnect
Configuring Auto ReconnectAnyConnect supports two XML tags for configuring auto reconnect behaviors, as follows:
• AutoReconnect—By default, AnyConnect attempts to reestablish a VPN connection if you lose connectivity. The default setting of this tag is true.
• AutoReconnectBehavior—By default, AnyConnect releases the resources assigned to the VPN session upon a system suspend and does not attempt to reconnect after the system resume. The default setting of this tag is DisconnectOnSuspend.
A system suspend is a low-power standby, Windows “hibernation,” or Mac OS or Linux “sleep.” A system resume is a recovery following a system suspend.
Note Before AnyConnect 2.3, the default behavior in response to a system suspend was to retain the resources assigned to the VPN session and reestablish the VPN connection after the system resume. To retain that behavior, assign the value ReconnectAfterResume to the AutoReconnectBehavior tag.
Unlike the IPsec client, AnyConnect can recover from VPN session disruptions. AnyConnect can reestablish a session, regardless of the media used for the initial connection. For example, it can reestablish a session on wired, wireless, or 3G.
To modify the Auto Reconnect setting, insert the <AutoReconnect> tag into the <ClientInitialization> section of the client profile. The following example shows how to disable the AnyConnect VPN reconnect if it loses connectivity, and makes the behavior user-controllable:
Note If you disable Auto Reconnect, AnyConnect does not attempt to reconnect, regardless of the cause of the disconnection.
To configure the behavior in response to a system resume, you must enable Auto Reconnect, even though Auto Reconnect is already enabled by default. Insert the <AutoReconnectBehavior> tag inside the <AutoReconnect> tag. The following example shows how to enable the AnyConnect VPN reconnect behavior after a system resume, and to make both behaviors user-controllable:
Installing Host ScanTo reduce the chances of intranet infection by hosts establishing VPN connections, you can configure Host Scan to download and check for antivirus, antispyware, and firewall software; and associated definitions file updates as a condition for the establishment of an AnyConnect session. Host Scan is part of Cisco Secure Desktop (CSD). Although CSD works with AnyConnect, it is a different product and is beyond the scope of this document. To learn about and install CSD, see the Release Notes for Cisco Secure Desktop and the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
Configuring a Server ListOne of the main uses of the profile is to let the user list the connection servers. The user then selects the appropriate server. This server list consists of host name and host address pairs. The host name can be an alias used to refer to the host, an FQDN, or an IP address. If an FQDN or IP address is used, a HostAddress element is not required. In establishing a connection, the host address is used as the
Table 3-19 AutoReconnect and AutoReconnectBehavior Client Initialization Tags
Tag Default Value1
1. AnyConnect uses the default value if the profile does not specify one.
Possible Values2
2. Insert the parameter value between the beginning and closing tags; for example, <AutoReconnect>true</AutoReconnect>.
User Controllable
User Controllable by Default3
3. The AnyConnect Preferences dialog box displays the parameter values and lets users change them, depending on the value of the associated user control attribute. The user control attribute is optional. If you do not insert it, AnyConnect uses its default value. To permit or deny user control, insert the user control attribute inside the opening tag; for example, <AutoReconnect UserControllable="true">true</AutoReconnect>.
OSs Supported
AutoReconnect true true—Client retains resources assigned to the VPN session if it is disrupted, and attempts to reconnect.
false—Client releases resources assigned to the VPN session if it is interrupted and does not attempt to reconnect.
Yes No All
AutoReconnectBehavior Note: Applies only if AutoReconnect is true.
DisconnectOnSuspend ReconnectAfterResume—Client retains resources assigned to the VPN session during a system suspend. The client attempts to reconnect after the system resume.
DisconnectOnSuspend—Client releases resources assigned to the VPN session upon a system suspend. The client does not attempt to reconnect after the system resume.
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Server List
connection address unless it is not supplied. This allows the host name to be an alias or other name that need not be directly tied to a network addressable host. If no host address is supplied, the connection attempt tries to connect to the host name.
As part of the definition of the server list, you can specify a default server. This default server is identified as such the first time a user attempts a connection using the client. If a user connects with a server other than the default then for this user, the new default is the selected server. The user selection does not alter the contents of the profile. Instead, the user selection is entered into the user preferences.
See the example AnyConnect profile named AnyConnectProfile.tmpl, which the AnyConnect client automatically downloads to the endpoint.
Table 3-20 lists the ServerList parameters and their values. In this table the referenced tag name is in bold type. The values in these examples are only for demonstration purposes. Do not use them in your own configuration.
Table 3-20 Server List Parameters
XML Tag Name Possible Values Description Example
ServerList n/a Group identifier <ServerList> <HostEntry> <HostName>ASA-01</HostName> <HostAddress>cvc-asa01.cisco.com
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring a Server List
HostName An alias used to refer to the host or an FQDN or IP address. If this is an FQDN or IP address, a HostAddress is not required.
Within the HostEntry group, the HostName parameter specifies a name of a host in the server list. If an FQDN or IP address is used, a HostAddress is not required.
HostAddress An IP address or Full-Qualified Domain Name (FQDN) used to refer to the host. If HostName is an FQDN or IP address, a HostAddress is not required.
Group identifier, subordinate to CertificateMatch. Use these attributes to choose acceptable client certificates.
UserGroup The tunnel group to use when connecting to the specified host. This parameter is optional.
Within the ServerList group, the UserGroup, parameter, if present, is used in conjunction with HostAddress to form a Group-based URL. If you use this option in the profile, the corresponding tunnel group must have a group-url defined as well.
Note Group based URL support requires ASA version 8.0.3, or later.
Chapter 3 Configuring AnyConnect Client FeaturesSplit DNS Fallback
Split DNS FallbackIf the group policy on the security appliance specifies the names of the domains to be tunneled, AnyConnect Client tunnels only DNS queries that match those domains. It refuses all other DNS queries. The DNS resolver receives the refusal from the client and retries, this time using the public interface instead of AnyConnect Client.
This feature requires that you:
• Configure at least one DNS server
• Enable split-tunneling
To use this feature, establish an ASDM connection to the security appliance, choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies> Add or Edit > Advanced > Split Tunneling, and enter the names of the domains to be tunneled into the DNS Names text box.
ScriptingAnyConnect lets you download and run scripts when the following events occur:
• Upon the establishment of a new AnyConnect client VPN session with the security appliance. We refer to a script triggered by this event as an OnConnect script because it requires this filename prefix.
• Upon the tear-down of an AnyConnect client VPN session with the security appliance. We refer to a script triggered by this event as an OnDisconnect script because it requires this filename prefix.
Thus, the establishment of a new AnyConnect VPN session initiated by Trusted Network Detection triggers the OnConnect script (assuming the requirements are satisfied to run the script). The reconnection of a persistent AnyConnect VPN session after a network disruption does not trigger the OnConnect script.
Some examples that show how you might want to use this feature include:
• Refreshing the group policy upon VPN connection.
• Mapping a network drive upon VPN connection, and un-mapping it after disconnection.
• Logging on to a service upon VPN connection, and logging off after disconnection.
These instructions assume you know how to write scripts and run them from the command line of the targeted endpoint to test them.
Note The AnyConnect software download site provides some example scripts; if you examine them, please remember that they are only examples; they may not satisfy the local computer requirements for running them, and are unlikely to be usable without customizing them for your network and user needs. Cisco does not support example scripts or customer-written scripts.
Scripting Requirements and LimitationsAnyConnect runs up to one OnConnect and up to one OnDisconnect script, but these scripts may launch other scripts.
AnyConnect does not require the script to be written in a specific language, but does require an application that can run the script to be installed on the client computer. Thus, for AnyConnect to launch the script, the script must be capable of running from the command line.
AnyConnect supports script launching on all Microsoft Windows, Mac OS X, and Linux platforms supported by AnyConnect. Microsoft Windows Mobile does not provide native support for scripting languages; however, you can create and automatically run an OnConnect application and an OnDisconnect application as long as it complies with the AnyConnect scripting filename prefix and directory requirements.
On Microsoft Windows, AnyConnect can only launch scripts after the user logs onto Windows and establishes a VPN session. Thus, the restrictions imposed by the user’s security environment apply to these scripts; scripts can only execute functions that the user has rights to invoke. AnyConnect hides the cmd window during the execution of a script on Windows, so executing a script to display a message in a .bat file for testing purposes does not work.
AnyConnect supports script launching during WebLaunch and standalone launches.
By default, AnyConnect does not launch scripts. Use the AnyConnect profile EnableScripting parameter to enable scripts. AnyConnect does not require the presence of scripts if you do so.
Client GUI termination does not necessarily terminate the VPN session; the OnDisconnect script runs after session termination.
Other requirements apply, as indicated in the next section.
Writing, Testing, and Deploying ScriptsDeploy AnyConnect scripts as follows:
Step 1 Write and test the script using the OS type on which it will run when AnyConnect launches it.
Note Scripts written on Microsoft Windows computers have different line endings than scripts written on Mac OS and Linux. Therefore, you should write and test the script on the targeted OS. If a script cannot run properly from the command line on the native OS, AnyConnect cannot run it properly either.
Step 2 Do one of the following to deploy the scripts:
• Use ASDM to import the script as a binary file to the security appliance. Go to Network (Client) Access > AnyConnect Customization/Localization > Script.
Note Microsoft Windows Mobile does not support this option. You must deploy scripts using the manual method for this OS.
If you use ASDM version 6.3.1 or later, the security appliance adds the prefix scripts_ and the prefix OnConnect or OnDisconnect to your filename to identify the file as a script. When the client connects, the security appliance downloads the script to the proper target directory on the remote
computer, removing the scripts_ prefix and leaving the remaining OnConnect or OnDisconnect prefix. For example, if you import the script myscript.bat, the script appears on the security appliance as scripts_OnConnect_myscript.bat. On the remote computer, the script appears as OnConnect_myscript.bat.
If you use an ASDM version earlier than 6.3.1, you must import the scripts with the following prefixes:
– scripts_OnConnect
– scripts_OnDisconnect
To ensure the scripts run reliably, configure all security appliances to deploy the same scripts. If you want to modify or replace a script, use the same name as the previous version and assign the replacement script to all of the security appliances that the users might connect to. When the user connects, the new script overwrites the one with the same name.
• Or transfer the scripts manually to the VPN endpoints on which you want to run the them.
If you use this method, use the script filename prefixes below.
– OnConnect
– OnDisconnect
Install the scripts in the directory shown in Table 3-21.
Table 3-21 Required Script Locations
OS Directory
Microsoft Windows 7 and Vista %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect VPN Client\Script
Microsoft Windows XP %ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect VPN Client\Script
Linux
(On Linux, assign execute permissions to the file for User, Group and Other.)
/opt/cisco/vpn/script
Mac OS X /opt/cisco/vpn/script
Windows Mobile %PROGRAMFILES%\Cisco AnyConnect VPN Client\Script
Configuring the AnyConnect Profile for ScriptingTo enable scripting you must insert the EnableScripting parameter into the AnyConnect profile. Table 3-22 describes the scripting parameters you can insert into the AnyConnect profile. Examples follow the table.
Insert these parameters anywhere inside the ClientInitialization section of the AnyConnect profile.
This example enables scripting and uses the default values for the other scripting parameters:
<ClientInitialization>
<EnableScripting>true</EnableScripting>
Table 3-22 Scripting Parameters
Name Possible Values and Descriptions
EnableScripting true—Launches OnConnect and OnDisconnect scripts if present.
false—(Default) Does not launch scripts.
UserControllable Note: If used, this parameter must be embedded within the EnableScripting tag, as shown in the second example below this table.
The possible values are:
• true—Lets users enable or disable the running of OnConnect and OnDisconnect scripts.
• false—(Default) Prevents users from controlling the scripting feature.
TerminateScriptOnNextEvent This parameter has meaning only if the EnableScripting is set to true.
Note: If used, this parameter must be embedded within the EnableScripting tag, as shown in the second example below this table.
The possible values are:
• true—Terminates a running script process if a transition to another scriptable event occurs. For example, AnyConnect terminates a running OnConnect script if the VPN session ends, and terminates a running OnDisconnect script if AnyConnect starts a new VPN session. On Microsoft Windows, AnyConnect also terminates any scripts that the OnConnect or OnDisconnect script launched, and all their script descendents. On Mac OS and Linux, AnyConnect terminates only the OnConnect or OnDisconnect script; it does not terminate child scripts.
• false—(Default) Does not terminate a script process if a transition to another scriptable event occurs.
EnablePostSBLOnConnectScript This parameter has meaning only if the EnableScripting is set to true, and only if the VPN endpoint is running Microsoft Windows 7, XP, or Vista.
Note: If used, this parameter must be embedded within the EnableScripting tag, as shown in the second example below this table.
The possible values are:
• false—Prevents launching of the OnConnect script if SBL establishes the VPN session.
• true—(Default) Launches the OnConnect script if present if SBL establishes the VPN session.
Note Be sure to add the AnyConnect profile to the security appliance group policy to download it to the VPN endpoint.
Troubleshooting ScriptsIf a script fails to run, try resolving the problem as follows:
Step 1 Make sure the script has an OnConnect or OnDisconnect prefix name. Table 3-22 shows the required scripts directory for each OS.
Step 2 Try running the script from the command line. AnyConnect cannot run the script if it cannot run from the command line. If the script fails to run on the command line, make sure the application that runs the script is installed, and try rewriting the script on that OS.
Step 3 Make sure the scripts directory on the VPN endpoint contains only one OnConnect and only one OnDisconnect script. If one security appliance downloads one OnConnect script and during a subsequent connection a second security appliance downloads an OnConnect script with a different filename suffix, AnyConnect might run the unwanted script. If the script path contains more than one OnConnect or OnDisconnect script and you are using binary AnyConnect customization to deploy scripts, remove the contents of the scripts directory and re-establish an AnyConnect VPN session. If the script path contains more than one OnConnect or OnDisconnect script and you are using the manual deployment method, remove the unwanted scripts and re-establish an AnyConnect VPN session.
Step 4 If the OS is Linux, make sure the script file permissions are set to execute.
Step 5 Make sure the AnyConnect profile includes the EnableScripting parameter set to true.
Chapter 3 Configuring AnyConnect Client FeaturesProxy Support
Proxy SupportThe following sections describe how to use the proxy support features.
Ignore ProxyThis feature lets you specify a policy in the AnyConnect profile to bypass the Internet Explorer proxy configuration settings on the user’s PC. It is useful when the proxy configuration prevents the user from establishing a tunnel from outside the corporate network.
To enable Ignore Proxy, insert the following line into the <ClientInitialization> section of the AnyConnect profile:
<ProxySettings>IgnoreProxy</ProxySettings>
Note AnyConnect currently supports only the IgnoreProxy setting; it does not support the Native and Override settings in the new ProxySettings section within the <ClientInitialization> section of the XML schema (AnyConnectProfile.xsd).
Private ProxyYou can configure a group policy to download private proxy settings configured in the group policy to the browser after the tunnel is established. The settings return to their original state after the VPN session ends.
Private Proxy Requirements
An AnyConnect Essentials license is the minimum ASA license activation requirement for this feature.
AnyConnect supports this feature on computers running:
• Internet Explorer on Windows
• Safari on Mac OS
Configuring a Group Policy to Download a Private Proxy
To configure the proxy settings, establish an ASDM session with the security appliance and choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Advanced > Browser Proxy. ASDM versions earlier than 6.3(1) show this option as IE Browser Proxy; however, AnyConnect no longer restricts the configuration of the private proxy to Internet Explorer, regardless of the ASDM version you use.
The Do not use proxy parameter, if enabled, removes the proxy settings from the browser for the duration of the session.
Chapter 3 Configuring AnyConnect Client FeaturesAllow AnyConnect Session from an RDP Session for Windows Users
Internet Explorer Connections Tab LockdownUnder certain conditions, AnyConnect hides the Internet Explorer Tools > Internet Options > Connections tab. When exposed, this tab lets the user set proxy information. Hiding this tab prevents the user from intentionally or unintentionally circumventing the tunnel. The tab lockdown is reversed on disconnect, and it is superseded by any administrator-defined policies regarding that tab. The conditions under which this lockdown occurs are either of the following:
• The security appliance configuration specifies a private-side proxy.
• AnyConnect uses a public-side proxy defined by Internet Explorer to establish the tunnel. In this case, the split tunneling policy on the security appliance must be set to Tunnel All Networks.
Proxy Auto-Configuration File Generation for Clientless SupportSome versions of the security appliance require extra AnyConnect configuration to continue to allow clientless portal access through a proxy server after establishing an AnyConnect session. AnyConnect uses a proxy auto-configuration (PAC) file to modify the client-side proxy settings to let this to occur. AnyConnect generates this file only if the ASA does not specify private-side proxy settings.
Allow AnyConnect Session from an RDP Session for Windows Users
Some customers require the ability to log on to a client PC using Windows Remote Desktop and create a VPN connection to a secure gateway from within the Remote Desktop (RDP) session. This feature allows a VPN session to be established from an RDP session. A split tunneling VPN configuration is required for this to function correctly. For information about split tunneling, see Cisco ASDM User Guide or Cisco ASA 5500 Series Command Line Configuration Guide Using the CLI.
By default, a locally logged-in user can establish a VPN connection only when no other local user is logged in. The VPN connection is terminated when the user logs out, and additional local logons during a VPN connection result in the connection being torn down. Remote logons and logoffs during a VPN connection are unrestricted.
Note With this feature, the AnyConnect client disconnects the VPN connection when the user who established the VPN connection logs off. If the connection is established by a remote user, and that remote user logs off, the VPN connection is terminated.
The AnyConnect profile settings determine how Windows logons are treated at connection establishment and during the connection. These preferences are configurable only by the network administrator. They let customers configure the client to allow VPN connection establishment from an RDP session. The end-user does not see any changes in the AnyConnect client GUI as a result of this feature. Table 3-23 shows the preferences.
Chapter 3 Configuring AnyConnect Client FeaturesAnyConnect over L2TP or PPTP
AnyConnect over L2TP or PPTPISPs in some countries, including Israel, require support of the L2TP and PPTP tunneling protocols.
To send traffic destined for the secure gateway over a PPP connection, AnyConnect uses the point-to-point adapter generated by the external tunnel. When establishing a VPN tunnel over a PPP connection, AnyConnect must exclude traffic destined for the ASA from the tunneled traffic intended for destinations beyond the ASA. To specify whether and how to determine the exclusion route, use the PPPExclusion configuration option.
The exclusion route appears as a non-secured route in the Route Details display of the AnyConnect GUI.
The following sections describe how to set up PPP exclusion:
• Configuring AnyConnect over L2TP or PPTP
• Instructing Users to Override PPP Exclusion
Table 3-23 Windows Logon Preferences
XML Tag Name Possible Values (Defaults in Bold)
WindowsLogonEnforcement SingleLocalLogon—Allows only one local user to be logged on during the entire VPN connection. With this setting, a local user can establish a VPN connection while one or more remote users are logged on to the client PC, but if the VPN connection is configured for all-or-nothing tunneling, then the remote logon is disconnected because of the resulting modifications of the client PC routing table for the VPN connection. If the VPN connection is configured for split-tunneling, the remote logon might or might not be disconnected, depending on the routing configuration for the VPN connection. The SingleLocalLogin setting has no effect on remote user logons from the enterprise network over the VPN connection.
SingleLogon—Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on, either locally or remotely, when the VPN connection is being established, the connection is not allowed. If a second user logs on, either locally or remotely, during the VPN connection, the VPN connection is terminated.
When you select the SingleLogon setting, no additional logons are allowed during the VPN connection, so a remote logon over the VPN connection is not possible.
WindowsVPNEstablishment Determines the behavior of the AnyConnect client when a user who is remotely logged on to the client PC establishes a VPN connection. The possible values are:
• LocalUsersOnly—Prevents a remotely logged-on user from establishing a VPN connection. This is the same functionality as in prior versions of the AnyConnect client.
• AllowRemoteUsers—Allows remote users to establish a VPN connection. However, if the configured VPN connection routing causes the remote user to become disconnected, the VPN connection is terminated to allow the remote user to regain access to the client PC.
Remote users must wait 90 seconds after VPN establishment if they want to disconnect their remote login session without causing the VPN connection to be terminated.
On Vista, the WindowsVPNEstablishment profile setting is not currently enforced during Start Before Logon (SBL). The AnyConnect client does not determine whether the VPN connection is being established by a remote user before logon; therefore, a remote user can establish a VPN connection via SBL even when the WindowsVPNEstablishment setting is LocalUsersOnly.
Chapter 3 Configuring AnyConnect Client FeaturesAnyConnect over L2TP or PPTP
Configuring AnyConnect over L2TP or PPTPBy default, PPP Exclusion is disabled. To enable PPP exclusion, insert the PPPExclusion line shown below in bold into the <ClientInitialization> section of the AnyConnect profile (anyfilename.xml):
The PPPExclusion UserControllable value true lets users read and change the PPP exclusion settings. If you want to prevent users from viewing and changing the PPP exclusion settings, change it to false.
AnyConnect supports the following PPPExclusion values:
• Automatic—Enables PPP exclusion. AnyConnect automatically uses the IP address of the PPP server. Instruct users to change the value only if automatic detection fails to get the IP address.
• Override—Also enables PPP exclusion. If automatic detection fails to get the IP address of the PPP server, and the PPPExclusion UserControllable value is true, instruct users to follow the instructions in the next section to use this setting.
• Disabled—PPP exclusion is not applied.
To let users view and change the IP address of the security appliance used for PPP exclusion, add the PPPExclusionServerIP tag with its UserControllable value set to true, as shown in bold below:
Chapter 3 Configuring AnyConnect Client FeaturesAnyConnect over L2TP or PPTP
Instructing Users to Override PPP ExclusionIf automatic detection does not work, and the PPPExclusion UserControllable value is true, instruct the user to manually override PPP exclusion, as follows:
Step 1 Use an editor such as Notepad to open the preferences XML file.
This file is on one of the following paths on the user’s computer:
• Windows: %LOCAL_APPDATA%\Cisco\Cisco AnyConnect VPN Client\preferences.xml. For example,
– Windows Vista—C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml
– Windows XP—C:\Documents and Settings\username\Local Settings\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml
• Mac OS X: /Users/username/.anyconnect
• Linux: /home/username/.anyconnect
Step 2 Insert the PPPExclusion details under <ControllablePreferences>, while specifying the Override value and the IP address of the PPP server. The address must be a well-formed IPv4 address. For example:
Chapter 3 Configuring AnyConnect Client FeaturesConfiguring Other AnyConnect Profile Settings
Configuring Other AnyConnect Profile SettingsTable 3-24 shows the default values and possible values for other parameters you can insert into the ClientInitialization section of the AnyConnect Client profile (.xml file).
Table 3-24 Other AnyConnect Client Initialization Tags
XML Tag Name Default Value1
1. AnyConnect uses the default value if the profile does not specify one.
Possible Values2
2. Insert the parameter value between the beginning and closing tags; for example, <CertificateStoreOverride>true</CertificateStoreOverride>.
User Controllable3
3. Anyconnect ignores the usercontrollable="true" string if the parameter does not support user control.
User Controllable by Default4
4. The AnyConnect Preferences dialog box displays the parameter values and lets users change them, depending on the value of the associated user control attribute. The user control attribute is optional. If you do not insert it, AnyConnect uses its default value. To permit or deny user control, insert the user control attribute inside the opening tag; for example, <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>.
OSs Supported
CertificateStoreOverride false true, false No n/a All
ShowPreConnectMessage false true, false No n/a All
MinimizeOnConnect true true, false Yes Yes All
LocalLanAccess false true, false Yes Yes All
AutoUpdate true true, false Yes No All
RSASecurIDIntegration5
5. AnyConnect client is compatible with RSA SecurID software versions 1.1 and higher. At the time of this release, RSA SecurID Software Token client software does not support Windows Vista and 64-bit systems.
